New survey reveals SME PCI compliance and security crisis

Smaller merchants are systematically failing to engage with PCI compliance programs, according to a new acquirer survey from Sysnet Global Solutions, a leading provider of cyber security and compliance solutions to the payments industry.

The survey revealed that all acquirers believe small merchants are not effectively engaging with PCI programs, with many identifying the challenges small merchants face, including a lack of knowledge, a lack of urgency and a lack of time to dedicate to security and compliance – a worrying trend.

As a result, the vast majority of acquirers indicated they would like their compliance rates to be higher, with most aiming for minimum 70% compliance rate, and more than 15% targeting near-perfect compliance levels of 90%+. Acquirers are split on how to achieve this. The majority of respondents (76%) favour regular communication (i.e. calls, emails), while managed security and compliance service and merchant education prove equally as effective with 72% favouring each.

“We conducted this survey to put some structure on the many conversations we have had with acquiring organisations who feel they’re fighting a losing battle when it comes to getting smaller businesses secure and compliant,” said Gabriel Moynagh, CEO at Sysnet Global Solutions. “PCI non-compliance fees seem like a good idea to prompt smaller businesses to take action, but the real problem is that they just don’t have the knowledge, time or resources to get and maintain compliance.”

In reality, over half (56%) of acquirers do not believe fees drive compliance, and agree that the industry needs to wean itself off non-compliance revenue, which is a significant contributory factor in merchant attrition.

Sysnet’s survey also revealed that 44% of respondents consider non-compliance fees to damage their brand as an acquirer, and nearly every acquirer agreed that they need to do more to provide an SME offering that helps these merchants to secure their business and raise PCI compliance rates.

Wally Mlynarski, Chief Product Officer at Elavon, commented, “It is likely that PCI compliance will continue to evolve over the next five years, and it’s important for us to continue to develop and grow our SME offering by adding new value to our payment solutions. Working with Sysnet, we are already providing our SMEs with managed PCI compliance and cyber security tools, eliminating the need for them to navigate the complexities of the PCI standards, or figure out the appropriate security tools. Equally important, we are making headway in the move away from non-compliance fees as the only means to drive compliance rates and are already seeing positive results.”

“We’ve always looked for ways to improve the self-assessment process for smaller merchants, and have concluded that what those businesses really need is help. Our managed compliance and security solution, Proactive Data Security (PDS), not only helps merchants complete the compliance process, it also identifies and installs the security tools necessary to protect the business. A double-win for merchants, PDS reduces the risk of costly data breaches, while eliminating monthly non-compliance fees – and it costs the same or even less than they’re currently paying in non-compliance fees.”